Huawei AppGallery vulnerability allows anyone to download paid app or game for free

Recently, security researchers have disclosed a vulnerability in the Huawei AppGallery, which mainly affects developers. Through this vulnerability, anyone can bypass Huawei’s account system and payment system and directly download applications or games that would otherwise require payment. The researchers have notified Huawei of the vulnerability, but it has not yet been fixed, and it is not known when Huawei is going to fix the vulnerability.

Researchers have discovered a vulnerability in an API in the Huawei AppGallery, which can be used to return the APK download link of any application or game. That is to say, you only need to copy the address of the paid application or game and use this API to download it. After downloading, you can install it directly without any hindrance. This issue mainly affects developers, especially those offering paid apps or games, as it is easy to extract the installation package from Huawei AppGallery.
It should be emphasized that Huawei also provides a DRM SDK protection mechanism, but the premise is that the developer has already used this SDK, otherwise a paid app without DRM protection could be freely distributed to others after only a single purchase. If the DRM SDK is used, even if the installation package is obtained, it cannot be used normally. During testing, the researchers found that some games were blocked using this SDK.

Via: 9to5google